Configuring Property Autodetection for Log Source Types
When you enable Property Autodetection, new properties are automatically generated to capture every field in the events that the selected log source type receives. Configure Property Autodetection for a log source type so that you do not need to manually create a custom property for each instance.
By default, Property Autodetection for a log source type is disabled.
- In the DSM Editor, select a log source type or create a new one from the Select Log Source page.
- Click the Configuration tab.
- Click Enable Auto Property Discovery.
Property autodetection works only for structured data that is in JSON, CEF, LEEF, or Name Value Pair format.
- Select the structured data format for the log source type from the Property Discovery Format list.
If you choose Name Value Pair, in the Delimiter In Name Value Pairs section, enter the delimiter used to separate each name and value, and the delimiter used to separate each Name Value Pair. Delimiters for each pair are automatically created.
- To enable new properties for use in rules and searches, click Enable Properties for use in Rules and Search Indexing.
- In the Autodetection Completion Threshold field, set the number of consecutive events to inspect for new properties.
If no new properties are discovered after that number of consecutive events is inspected, the discovery process is considered complete and Property Autodetection is disabled. You can manually re-enable Property Autodetection at any time. A threshold value of 0 means that the discovery process perpetually inspects events for the selected log source type.
- Click Save.
The newly discovered properties appear in the Properties tab of the DSM Editor.
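The following added example (not product code, and not a description of how the product implements discovery) models the Autodetection Completion Threshold for Name Value Pair events. The function names, the sample events, the "|" and "=" delimiters, and the assumption that the counter resets whenever a new property appears are all illustrative.

```python
def parse_nvp(event, pair_delim, kv_delim):
    """Split one Name Value Pair event into a {name: value} dict."""
    fields = {}
    for pair in event.split(pair_delim):
        name, sep, value = pair.partition(kv_delim)
        if sep and name.strip():  # skip fragments with no name/value delimiter
            fields[name.strip()] = value.strip()
    return fields


def autodetect(events, pair_delim, kv_delim, threshold):
    """Illustrative model of the completion threshold (an assumption, see lead-in).

    Returns (property names in discovery order, events inspected, completed).
    A threshold of 0 means discovery never completes on its own.
    """
    discovered = []
    quiet = 0        # consecutive events that produced no new property
    inspected = 0
    for event in events:
        inspected += 1
        names = parse_nvp(event, pair_delim, kv_delim)
        new = [n for n in names if n not in discovered]
        if new:
            discovered.extend(new)
            quiet = 0
        else:
            quiet += 1
        if threshold and quiet >= threshold:
            return discovered, inspected, True   # discovery considered complete
    return discovered, inspected, False


# Constructed sample events: pairs separated by "|", name and value by "=".
SAMPLE = [
    "user=alice|src=10.0.0.5|action=login",
    "user=bob|src=10.0.0.6|action=login",
    "user=bob|src=10.0.0.6|action=logout",
    "user=carol|src=10.0.0.7|action=login",
    "user=carol|src=10.0.0.7|action=sudo|target_user=root",  # rarely seen field
]

if __name__ == "__main__":
    for t in (3, 0):
        props, seen, done = autodetect(SAMPLE, "|", "=", t)
        print(f"threshold={t}: inspected={seen} complete={done} props={props}")
```

In this model a threshold of 3 completes discovery before the rarely seen target_user field arrives, so that field never becomes a property, while a threshold of 0 keeps inspecting and captures it.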